01 - WHAT IS A DATA BREACH?


WHAT IS A DATA BREACH? 
GENERAL DEFINITION 


A data breach is, e.g., ...


... a breach of security, leading to a breach of the protection of personal data


General Data Protection Regulation Article 4 (12)*:


'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;


A data breach is therefore, for example ...


... an

- e.g. erasure, destruction, loss etc. of personal data

... and/or an

- e.g. modification (unintentional or unlawful) of personal data

... and/or a

- e.g. unauthorized disclosure, use, unauthorized access of/to personal data


* identical in content with § 3 Nr. 30a Telecommunications Act


02 - EXAMPLES FOR DATA BREACHES


EXAMPLE FOR A DATA BREACH: 
BREACH OF AVAILABILITY 


EXAMPLES: 

- Data* has been deleted (unlawfully / unintentionally).
- Data* has been encrypted and can no longer be decrypted because, for example, the key has been irrevocably deleted.
- Data* was stored on a backup (e.g. on an external hard disk). Access to the backup is not possible anymore.
- An (encrypted) USB stick with data* was lost.


Whether unintentional or unlawful, it does not depend on the circumstances of the data breach.


* personal data is meant

LIFE IS FOR SHARING.


EXAMPLE FOR A DATA BREACH: 
BREACH OF INTEGRITY 


EXAMPLES: 


- Due to an incorrect authorization concept, the data was changed.
- A call center agent assigns the bank account number of customer A to customer B due to a work error.
- Incorrect, falsified or adulterated data leads to incorrect bookings, incorrect deliveries or faulty products because they are assigned to the wrong person.
- After a hacker attack on the Telekom customer center, the delivery address of an unusually high number of customers was changed.
- A customer is blackmailed for telephone terror. Call forwarding from 100 other customers has actually been set up for the connection of the affected customer in the customer center.


Whether unintentional or unlawful, it does not depend on the circumstances of the data breach.


EXAMPLE FOR A DATA BREACH:
BREACH OF CONFIDENTIALITY 


EXAMPLES:

- Incorrect dispatch of invoices by e-mail, e.g. customer A receives invoice from customer B.
- Incorrect dispatch of order confirmations by e-mail, e.g. non-customer receives order confirmation intended for a customer.
- A service provider has inadvertently programmed a variable for the contract number in an advertising mail incorrectly, which means that it has not been individually adapted to the respective customer. Instead, the static contract numbers of two customers were used in all advertising mails.


Whether unintentional or unlawful, it does not depend on the circumstances of the data breach.

SPECIAL CASE
DT COMPANY ACTS AS A PROCESSOR 


EXAMPLE OF A DATA BREACH 
SPECIAL CASE: DT COMPANY ACTS AS A PROCESSOR


EXAMPLE OF SITUATION: 


- Telekom Deutschland GmbH (TDG) processes customer's personal data on the basis of commissioned data processing (e.g. cloud services). A corresponding agreement was signed with the customers for this purpose. In this case, Telekom Deutschland GmbH is "processor" and the customer is the "controller" within the meaning of the GDPR.
- If a data breach occurs on the side of TDG (see slides 7-9), TDG is obliged to inform the customer ("controller") immediately.
- The information must be provided by the respective (business) department (contractual partner). Group Privacy has to be informed only for information purposes in this case.
- The customer checks the data breach and reports it to the relevant supervisory authorities if necessary. The TDG will support this if necessary.


Whether unintentional or unlawful, it does not depend on the circumstances of the data breach.

03 - HOW CAN DATA BREACHES BE REPORTED?


REPORTING PROCEDURE IN CASE OF DATA BREACHES 


Data breaches can be reported to the functional mailbox privacy@telekom.de at any time.

COMPANIES INSIDE GERMANY
PROCESS OVERVIEW


[Process diagram. Labels: Data Privacy Coordinators; Employee of DT group; Others (CERT, Group situation center, misuse detection, investigations etc.); data breach; privacy@telekom.de]

SPECIAL CASE: COMPANY OUTSIDE GERMANY
PROCESS FOR REPORTING DATA BREACHES


[Process diagram. Labels: employee; Data Privacy Officer (DPO); Data Protection Authority (DPA); "reports the breach to"; privacy@telekom.de]

CONTENT OF THE REPORT TO PRIVACY@TELEKOM.DE:


- Reporting DT company:
  - Name of the DT company and the entity concerned / contact person at management level / e-Mail / pho
- Exact presentation of the facts of the case:
  - When / how / where / unintended or with purpose / affected persons ...
- Storage medium:
  - Workstation / IT system / mobile device / flash drive ...
- Which personal data is affected:
  - Contact information / access data / identification data / banking data / other personal data / special categories of personal data / telecommunications traffic data / location data ...
- What technical precautions have been taken to secure the personal data:
  - Security concept / encryption processes ...
- Were immediate measures taken to limit the damage / the risks for the data subjects affected?


Attention: The data protection incident / breach must be reported, but not which specific person is affected. 

04 - WHAT HAPPENS AFTER A NOTIFICATION TO GROUP PRIVACY?


PROCEDURE FOR INCOMING DATA BREACH NOTIFICATIONS 
REPORTING OF DATA BREACHES 


After a report has been received by Group Privacy, experts will check your report immediately and initiate all further steps.


(1) The first step is to assess whether this is a data breach and to assess the extent of the (possible) damage.

(2) Subsequently, appropriate measures for prevention are discussed and initiated immediately.

(3) If a data breach has occurred, it is then reported to the supervisory authorities and the affected persons are notified.


All data protection incidents must be documented for up to 5 years in accordance with § 109a Para. 3 Telecommunications Act / Article 33 (5) GDPR.

05 - WHAT HAPPENS IF DATA BREACHES ARE NOT REPORTED?


WHAT HAPPENS IF DATA BREACHES ARE NOT REPORTED? 
REPORTING OF DATA BREACHES 




Openness and transparency are decisive for our customers' trust in our company and our products. 
The hiding of a data breach would cause much more damage to the company than the disclosure of the data breach. 


A data breach must be reported to the responsible DPA within 24 hours (telecommunications) / 72 hours (GDPR). "Pre-" notifications to a DPA are also possible. A violation of the reporting obligation is a finable offence and can be punished with a high fine.




LEGAL GROUNDS


Article 32 GDPR: 
Security of processing 


Article 33 GDPR: 
Notification of a personal data breach to the supervisory authority 


Article 34 GDPR:
Communication of a personal data breach to the data subject


Article 4 (12) GDPR:
personal data breach


§ 23 and § 30 BCRP:
Duty to inform in case of infringements

OUR MISSION


CREATE AN ENVIRONMENT OF TRUST 


WITH OUR PRODUCTS AND SERVICES, WE AIM TO STRENGTHEN TRUST IN THE 
DEUTSCHE TELEKOM GROUP BRAND. 

THANK YOU FOR YOUR ATTENTION!


